
Massive Phishing Campaign Exploits Meta’s Business Suite

A large-scale phishing operation is leveraging Meta’s legitimate Business Suite infrastructure to steal credentials from thousands of small and medium-sized businesses around the world.

According to security researchers at Check Point, the campaign has distributed more than 40,000 phishing emails to over 5,000 organizations across key industries such as automotive, education, real estate, hospitality, and finance. The attacks have primarily impacted companies in the United States, Europe, Canada, and Australia.

Unlike traditional phishing attempts that rely on spoofed domains or fake websites, this sophisticated campaign uses Meta’s authentic Business Suite invitation system to appear credible. By operating through legitimate Meta infrastructure, attackers have made their phishing emails nearly impossible for standard security filters to detect.

How the Attack Works

The threat actors created fraudulent Facebook Business pages featuring genuine Meta logos and branding. These fake pages were then used to send Business Portfolio invitations that appeared to originate from the official facebookmail.com domain, making them indistinguishable from legitimate Meta communications.

The emails employed convincing subject lines such as “Action Required,” “You’re Invited to Join the Free Advertising Credit Program,” and “Account Verification Required.” These messages urged recipients to click embedded links that redirected them to phishing sites hosted on domains like vercel.app.

Once users landed on these pages, they were prompted to enter their Meta credentials and other sensitive information, which was then harvested by the attackers.

Check Point analysts noted that the phishing campaign followed clear, repetitive templates indicating a highly organized, large-scale distribution effort. The use of Meta’s legitimate email infrastructure enabled the attackers to bypass common anti-phishing defenses, as the messages were technically sent from an authentic and trusted domain.

This marks a concerning evolution in cybercriminal tactics: by weaponizing legitimate business features of trusted platforms, attackers can exploit user confidence and evade detection far more effectively than before.

Defense and Mitigation

To defend against these sophisticated phishing schemes, cybersecurity experts recommend several key measures:

  • Even if credentials are stolen, multi-factor authentication (MFA) can prevent unauthorized access.
  • Staff should be trained to verify invitations and scrutinize links—even those appearing to come from trusted senders.
  • Behavioral analysis and AI-driven detection tools can identify subtle anomalies that traditional filters may miss.
  • Users should navigate directly to official Meta portals rather than clicking on links within unsolicited emails.
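Because the invitations really do arrive from facebookmail.com, sender-based filters such as SPF or DKIM checks pass and give no signal; what distinguishes the lure is that a message claiming to be a Meta invitation carries links to hosts outside Meta's own domains (the page names vercel.app). The script below is an added example, not Check Point's or Meta's code, of a mail-gateway check built on that observation. The allow-list of trusted link domains, the helper names, and both sample emails (including the vercel.app hostnames) are constructed for illustration; the allow-list is an assumption, not Meta's official list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a genuine Meta Business Suite invitation links to.
# Illustrative allow-list, not an official Meta list.
TRUSTED_LINK_DOMAINS = {"facebook.com", "meta.com"}

# Sender domain the reported invitations arrive from.
INVITATION_SENDER_DOMAIN = "facebookmail.com"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_trusted_host(host: str, trusted_domains: set[str]) -> bool:
    """True only if host equals a trusted domain or is a real subdomain of one.

    The suffix must be preceded by a dot, so 'facebook.com.evil.test' or
    'business.facebook.com.verify.vercel.app' are NOT trusted.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def extract_links(body: str) -> list[str]:
    """Pull http(s) URLs out of a plain-text body, dropping trailing punctuation."""
    return [u.rstrip(".,);") for u in URL_RE.findall(body)]


def analyze_invitation(raw_email: str) -> dict:
    """Flag a Meta-style invitation whose links leave Meta's own domains."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    if msg.is_multipart():
        body = "".join(
            part.get_payload()
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()

    suspicious = [
        url for url in extract_links(body)
        if not is_trusted_host(urlparse(url).hostname or "", TRUSTED_LINK_DOMAINS)
    ]

    # A message that authenticates as a Meta invitation but sends the reader
    # off-platform for "verification" is the pattern described in the campaign.
    verdict = (
        "quarantine"
        if sender_domain == INVITATION_SENDER_DOMAIN and suspicious
        else "allow"
    )
    return {
        "sender_domain": sender_domain,
        "suspicious_links": suspicious,
        "verdict": verdict,
    }


# Constructed sample: a lure using the subject lines quoted in the report.
SAMPLE_LURE = """From: Meta for Business <notification@facebookmail.com>
To: owner@example-shop.test
Subject: Action Required: You're Invited to Join the Free Advertising Credit Program
Content-Type: text/plain

You have been invited to a Business Portfolio.
Accept the invitation: https://meta-business-verify.vercel.app/login
Confirm ownership: https://business.facebook.com.verify-portfolio.vercel.app/invite.
Manage settings: https://business.facebook.com/settings
"""

# Constructed sample: a benign invitation whose links all stay on Meta domains.
SAMPLE_LEGITIMATE = """From: Meta for Business <notification@facebookmail.com>
To: owner@example-shop.test
Subject: You have been added to a Business Portfolio
Content-Type: text/plain

Review the request: https://business.facebook.com/settings/requests
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGITIMATE)):
        print(name, analyze_invitation(sample))
```

The check deliberately keys on link destination rather than sender, since the campaign's whole advantage is that the sender is genuine; a suffix test that requires a leading dot is what keeps lookalike hostnames such as `business.facebook.com.<anything>.vercel.app` from passing as trusted.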

This campaign underscores a troubling trend in cybercrime: the exploitation of trusted digital ecosystems to deliver malicious content. As platforms like Meta continue to integrate deeper into business operations, attackers are increasingly turning these legitimate services into vectors for credential theft.

Organizations must therefore pair strong security technologies with ongoing vigilance and education to stay ahead of these evolving, trust-based phishing tactics.
